Calculating risk weight
The risk weight is specified as a value from 20 percent to 100 percent. 20 percent represents the lowest weight for a risk, and 100 percent represents the highest.
You can set the value in 20 percent increments to 20, 40, 60, 80, or 100. The value of the weight is used as a multiplier for the risk value.
When risk values are used to compute the risk, weights are used to calculate the importance of a risk value. The risk is multiplied by the weight, and then added to the other risks multiplied by their weights. The calculated risk can be produced by the summation of each risk multiplied by its weight, and divided by the total weight of all risks.
------------------------------------------------------------ = Calculated Risk
Weight1 + Weight2 + Weight3
When the calculation is complete, the calculated Risk Value will be either a whole number or a decimal number. Because the Risk Level is an integer, the system compares the calculated value to the ranges of Risk Levels defined in the CHG:ChangeRiskRanges form (a backend form) to get the corresponding integer value.
For example, out of the box, one of the ranges is 4.000001 to 5.00000, which gives a Risk Level of 5. So, if the calculated Risk Level value is any number in this range, the system sets the Risk Level to 5. You can customize these ranges if needed, but you need to ensure that there are no gaps between the ranges. For example, if the Risk Level 1 is set from 0.000000 to 1.500000, Risk Level 2 should start at 1.500001.
Rounding the calculated risk number
The calculated risk does not necessarily result in a whole number. The results must be rounded to the appropriate whole number.
Instead of rounding to the nearest number, a lookup form is used to determine what the whole number value should be. The lookup table is stored on the Change Risk Ranges (CHG:ChangeRiskRanges) form. By default, the values are set up to move any non-whole number to the next highest number.
- 2.59 becomes 3
- 2.00001 becomes 3
- 3.99 becomes 4
The logic here is that no risk should be downplayed. Any risk greater than the whole number should be shown as the next risk up. So the resulting calculated risk is used to do a lookup against the Change Risk Ranges form, and the whole number value stored on the form is used as the risk.
Example of calculating the aggregate risk value
This example provides an overview of how BMC Helix ITSM: Change Management calculates aggregate risk value and how the weighting works.
This example works through a very simple case with two questions and one derived performance rating.
Question 1 — Can the change be easily rolled back? (Question Weight 20)
- Yes (Risk 1)
- No (Risk 5)
Question 2 — How many people does the change impact? (Question Weight 100)
- 1-20 (Risk 1)
- 21-40 (Risk 2)
- 41-60 (Risk 3)
- 61-80 (Risk 4)
- 81 or more (Risk 5)
Derived risk — Change manager's performance (Weight 60)
For the change request example, the following data is used:
- Question 1 — No (Risk 5)
- Question 2 — 21-40 (Risk 2)
- Derived Risk — Mary Mann
First, you must determine the risk of Mary Mann. Mary has been involved in 10 changes as CAB Manager. In these changes, Mary has acquired an overall performance rating of 2. You can use the performance rating to determine risk. The relationship between Performance Ratings and Aggregate Risk Value is inverse, so the overall Risk of Mary Mann is 4. The lower the performance, the higher the risk.
You now can perform the calculations on this data.
------------------------------------------------------------ = Calculated Risk
Weight1 + Weight2 + Weight3
--------------------------------- = ------ = 3
20 + 100 + 60 180
Using the formula for calculating risk weight, the aggregate risk value is 3. Each change request has a risk value computed for it as the information about the change is modified. When you first save the change, a risk is initially computed based on the derived factors. Then when you answer, or change the answer to risk questions, and then save the change, the risk is computed again.
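The calculation and range lookup described above can be checked with the following added example, which is not BMC code. The range table is constructed from the two ranges quoted on this page, and the function names, the 1 to 5 bounds check, and the round-up to six decimal places are assumptions of the example.

```python
from decimal import Decimal, ROUND_CEILING

ALLOWED_WEIGHTS = {20, 40, 60, 80, 100}   # weights are set in 20 percent steps
STEP = Decimal("0.000001")                # resolution of the ranges quoted above

# Constructed range table (low, high, risk level), modelled on the two ranges
# the page quotes (2.000001-3.000000 -> 3 and 4.000001-5.000000 -> 5). It is an
# assumption, not an export of the CHG:ChangeRiskRanges form.
DEFAULT_RANGES = [(Decimal(n - 1) + (STEP if n > 1 else 0), Decimal(n), n)
                  for n in range(1, 6)]

def find_range_breaks(ranges):
    """Return (previous_high, next_low) wherever two ranges leave a gap or overlap."""
    ordered = sorted(ranges)
    return [(a[1], b[0]) for a, b in zip(ordered, ordered[1:])
            if b[0] - a[1] != STEP]

def calculated_risk(factors):
    """Sum of risk * weight over all factors, divided by the total weight."""
    if not factors:
        raise ValueError("at least one risk factor is required")
    for risk, weight in factors:
        if weight not in ALLOWED_WEIGHTS or not 1 <= risk <= 5:
            raise ValueError(f"invalid risk/weight pair: {risk}, {weight}")
    total = sum(Decimal(r) * w for r, w in factors) / sum(w for _, w in factors)
    # Rounding up to the range resolution is an assumption made here so that a
    # value just above a boundary is never pushed down into the lower range.
    return total.quantize(STEP, rounding=ROUND_CEILING)

def risk_level(value, ranges=DEFAULT_RANGES):
    """Look the calculated risk up in the range table instead of rounding it."""
    for low, high, level in ranges:
        if low <= value <= high:
            return level
    raise LookupError(f"{value} is not covered by any range")

if __name__ == "__main__":
    # Page example: Question 1 = No (risk 5, weight 20), Question 2 = 21-40
    # (risk 2, weight 100), derived risk for Mary Mann (risk 4, weight 60).
    example = [(5, 20), (2, 100), (4, 60)]
    value = calculated_risk(example)
    print(value, "->", risk_level(value))
```

Running `find_range_breaks` over a customized range table before relying on it reports any boundary where a calculated value would match no range or more than one.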
You can run a risk report to aid you in understanding what information was used to compute the risk that is shown on the change request. For more information about Risk Reports, see Computing risk levels.
Risk level is the anticipated risk for the proposed change. The values are from 5 (highest risk) to 1 (lowest risk). For more information, see the following figure:
Example of risk factor configuration
This example explains the risk factor configuration data for the Calbro Systems company to show how the system sets the risk level for a change request. When you create your own risk factor configuration data, note that the process will likely be iterative for you to get the desired risk levels for your given change use cases.
In this example, we have configured the following questions with the related risk weights and values within the Risk Factors Configuration form. This example explains how the system uses the data to calculate the risk level.
Risk factor | Risk weight | Risk values |
---|---|---|
Will the change require a scheduled down time? | 60% | Yes – Risk Value = 5 |
Will the change affect more than one CI? | 100% | Yes – Risk Value = 5 |
Can the change be rolled back easily? | 100% | Yes – Risk Value = 1 |
Is this a standard change that has been successfully done before? | 60% | Yes – Risk Value = 1 |
In addition, we have also configured the following derived risk factors:
Derived risk factor | Field name | Risk weight |
---|---|---|
Maximum priority of Configuration Items | CI Priority | 100% |
Performance rating of change coordinator | Change Coordinator | 60% |
Risk calculation based on change impact | Change Impact | 100% |
When we create a new change request where the Change Location Company is Calbro Systems, the system selects the above risk factors configuration and applies the risk questions and the derived risk factors to calculate the risk level as shown below.
- While creating the change request, set the value of Change Impact to 3-Moderate/Limited, as this is used by the Risk Calculation based on Change Impact derived risk factor.
- Relate the CI that the change request is changing. The CI Priority value is PRIORITY_4 as defined in CMDB; this value is used by the Maximum Priority of Configuration Items derived risk factor.
- Answer the risk factor questions as follows:
After you save the change request, the Risk Level is automatically set to Risk Level 3 as shown below:
To see how Risk Level 3 was determined, plug in each risk factor risk value and risk weight into the risk level equation. Note that there are four risk factor questions and three derived risk factors.
Risk factor value | Weight value | Risk factor values come from |
---|---|---|
Question: Will the change require a scheduled down time? | ||
Question: Will the change affect more than one CI? | ||
Question: Can the change be rolled back easily? | ||
Question: Is this a standard change that has been successfully done before? | ||
Derived Risk Factor: Maximum priority of Configuration Items. The system then runs the CI Priority value through the calculations to get the final Risk Level equivalent. It then sets CI Priority = CI Priority + 1, so CI Priority = 2, and then sets CI Priority = (5 - CI Priority) + 1, so CI Priority = (5 - 2) + 1 = 4, which becomes the risk level equivalent. | ||
Derived Risk Factor: Performance rating of the change coordinator. The risk value is determined by the data that has been calculated over time within the CHG:Risk Derived Factors form. For the change coordinator, there is only one previous rating. The risk value is the average performance rating over time. | ||
Derived Risk Factor: Risk calculation based on change impact. The system derives the risk level by taking the equivalent enumerated value for 3-Moderate/Limited, which is 3000 as seen from Developer Studio. The system then runs the Change Impact value through the following calculations to get the final risk level equivalent. It then sets Change Impact = Change Impact / 1000 = 3 and then sets Change Impact = (4 - Change Impact) + 1, so Change Impact = (4 - 3) + 1 = 2, which becomes the risk level equivalent. |
The following equation contains the preceding table values:
The equation returns the value 3. When this value is compared to the data in the CHG:ChangeRiskRanges form, it falls in the range 2.000001 to 3.000000, which equates to a Risk Level of 3.
For additional information about risks, see the Risk Assessment in Change Management article on BMC Communities. Also, see Configuring risk assessment.